We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Court of Justice invalidates legal foundation for Safe Harbor

On 6 October 2015, the EU Court of Justice invalidated the Safe Harbor decision previously issued by the European Commission (Decision 2000/520). The Decision recognized US Safe Harbor principles as offering an adequate level of protection for personal data and allowed for the lawful transfer of personal data from the EU to the US. This landmark ruling was issued in the case of Maximilian Schrems v Data Protection Commissioner (Case C- 362/14).

Safe Harbor was the US’s response to EU data protection laws which prohibit the transfer of personal data to a country outside the EU unless the country ensures an "adequate level of protection of personal data". Safe Harbor intended to provide an adequate level of protection.

The Court found the Decision to be invalid for several reasons, the most important of which being that the Decision contains various derogations from the level of protection, including some that allow Safe Harbor to be bypassed/ignored for US national security reasons. The Court, following its Advocate General, stressed that US public authorities’ access - on a generalized basis - to content in electronic communications must be regarded as an invasion of privacy.

It will now be up to national data protection authorities of Member States to decide whether particular data transfers to the US receive an "adequate level of protection".

If personal data is transferred to US organizations, we recommend businesses in the EU to:

assess which safeguards were implemented to assure adequate protection; Safe Harbor is not the only means for a lawful transfer of data to the US; and

if Safe Harbor was relied upon, consider implementing other safeguards, such as obtaining the unambiguous consent of data subjects for the transfer or implementing binding corporate rules (BCR).

Entering into the so-called EU model contracts is another alternative. At this moment however, it is unclear how reliable the model contracts are since they contain a considerable limitation of the supervisory powers of national data protection authorities. In fact, the European Court listed this limitation as a key reason it invalidated the Decision.

Compare jurisdictions: Arbitration

"Lexology is one of the few newsfeeds that I do actually look over as and when it comes in - the information is current; has good descriptive headings so I can see quickly what the articles relate to and is not too long."